---
redirect_from:
  - /workspace/sso/okta
---

# Okta

Cube Cloud supports authenticating users through Okta, which is useful when you
want your users to access Cube Cloud using single sign on. This guide will walk
you through the steps of configuring SAML authentication in Cube Cloud with
Okta. You **must** be an account administrator in your Okta organization to
access the Admin Console and create a SAML integration.

<SuccessBox>

Single sign-on with Okta is available in Cube Cloud on
[Enterprise](https://cube.dev/pricing) tier.
[Contact us](https://cube.dev/contact) for details.

</SuccessBox>

## Enable SAML in Cube Cloud

First, we'll enable SAML 2.0 authentication in Cube Cloud. To do this, log in to
Cube Cloud and

1.  Click your username from the top-right corner, then click <Btn>Team &
    Security</Btn>.

2.  On the <Btn>Authentication & SSO</Btn> tab, ensure <Btn>SAML 2.0</Btn> is
    enabled:

<Screenshot
  alt="Cube Cloud Team Authentication and SSO tab"
  src="https://ucarecdn.com/f5ff1413-f37c-4476-afcc-0ff29e87e80a/"
/>

Take note of the <Btn>Single Sign On URL</Btn> and <Btn>Audience</Btn> values
here, as we will need them in the next step when we configure the SAML
integration in Okta.

## Create a SAML Integration in Okta

Next, we'll create a [SAML app integration for Cube Cloud in
Okta][okta-docs-create-saml-app].

1.  Log in to your Okta organization as an administrator, then navigate to the
    Admin Console by clicking <Btn>Admin</Btn> in the top-right corner.

2.  Click <Btn>Applications > Applications</Btn> from the navigation on the left
    of the screen, then click <Btn>Create App Integration</Btn>, then
    select <Btn>SAML 2.0</Btn> and click <Btn>Next</Btn>.

<Screenshot src="https://ucarecdn.com/16c9a49c-727f-46de-aa06-9534f92d3104/" />

3.  Enter a name for your application and click <Btn>Next</Btn>. You can
    optionally upload a logo for the application, but this is not required.

<Screenshot src="https://ucarecdn.com/693fa44c-fb78-4eda-a25f-fa645f9679e4/" />

4.  Enter the following values in the <Btn>SAML Settings</Btn> section:

| Name                        | Description                                                 |
| --------------------------- | ----------------------------------------------------------- |
| Single sign on URL          | Use the <Btn>Single Sign On URL</Btn> value from Cube Cloud |
| Audience URI (SP Entity ID) | Use the <Btn>Audience</Btn> value from Cube Cloud           |

<Screenshot src="https://ucarecdn.com/f7e49547-e0ad-4fa3-902b-536e5926a0bc/" />

5.  Scroll down to the <Btn>Attribute Statements</Btn> section and create the
    following entries:

| Name    | Name format | Value            |
| ------- | ----------- | ---------------- |
| `email` | Basic       | `user.email`     |
| `name`  | Basic       | `user.firstName` |

<Screenshot src="https://ucarecdn.com/413cc680-68fc-46ac-9124-caed1f61df2f/" />

6.  Click <Btn>Next</Btn> to go to the <Btn>Feedback</Btn> screen, fill in any
    necessary details and then <Btn>Finish</Btn> to complete the integration:

<Screenshot src="https://ucarecdn.com/a6ec09dc-0cd6-46e6-991b-3e158a44ffa4/" />

You should now see your new SAML app integration's details. Click the <Btn>Sign
On</Btn> tab:

<Screenshot src="https://ucarecdn.com/4d262685-4271-4390-b1ea-950df1a107ac/" />

From under <Btn>Settings > Sign on methods > SAML 2.0</Btn>, click <Btn>More
details</Btn>:

<Screenshot src="https://ucarecdn.com/07ed09df-0e14-4f59-9f03-1d880f0f9ddb/" />

Take note of the <Btn>Sign on URL</Btn>, <Btn>Issuer</Btn> and <Btn>Signing
Certificate</Btn> values, as we will need them in the next step.

## Enable SAML in Cube Cloud

In this step, we'll finalise the configuration by entering the values from our
SAML integration in Okta into Cube Cloud.

1.  From the same <Btn>Authentication & SSO > SAML 2.0</Btn> tab, click the
    <Btn>Advanced Settings</Btn> tab:

<Screenshot src="https://ucarecdn.com/5359c52e-69c1-45fa-baf2-d3bb07d72634/" />

2.  Enter the following values in the <Btn>SAML Settings</Btn> section:

| Name                        | Description                                            |
| --------------------------- | ------------------------------------------------------ |
| IdP Issuer (IdP Entity ID)  | Use the <Btn>Issuer</Btn> value from Okta              |
| Identity Provider Login URL | Use the <Btn>Sign on URL</Btn> value from Okta         |
| Certificate                 | Use the <Btn>Signing Certificate</Btn> value from Okta |

3.  Scroll down and click <Btn>Save SAML 2.0 Settings</Btn> to save the changes.

## Log in with Okta

The last step is to start using SAML authentication. To do this, use the
following instructions:

1.  Click your username from the top-right corner, then click <Btn>Team &
    Security</Btn>.

2.  On the <Btn>Authentication & SSO</Btn> tab, scroll down to <Btn>SAML
    2.0</Btn> and copy the <Btn>Single Sign On URL</Btn> value:

<Screenshot
  alt="Cube Cloud Team Authentication and SSO tab"
  src="https://ucarecdn.com/f5ff1413-f37c-4476-afcc-0ff29e87e80a/"
  highlight="inset(54% 3% 39% 3% round 10px)"
/>

3.  Open a new browser tab and paste the <Btn>Single Sign On URL</Btn> value
    into the address bar, then press <Btn>Enter</Btn>. You should be redirected
    to Okta to log in, and after a successful login, you should be redirected
    back to Cube Cloud.

[okta-docs-create-saml-app]:
  https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_SAML.htm
